Security fixes

This commit is contained in:
Garvin Hicking 2018-07-18 11:23:02 +02:00
parent e09b2600c6
commit 19513cdf14
4 changed files with 42 additions and 8 deletions


@ -35,6 +35,18 @@ Version 2.x.x (major) ()
Version 2.1.3 () Version 2.1.3 ()
------------------------------------------------------------------------ ------------------------------------------------------------------------
* Security: Prevent XSS possibility in "edit entries" panel.
Thanks to @oreamnos and Hanno Boeck for reporting!
* Security: Disallow sending comment notifications and mails to more than one
mail address. This could be used to approving opt-ins of requests
that did not belong to the same email that was approved.
Thanks to Hanno Boeck for reporting!
* Security: Remove exit.php open redirect, when not using the trackexits-
plugin configured with Serendipity exit tracking.
Thanks to Julio Cesar (from infosec.com.br) and Hanno Boeck for reporting!
* Fix SQL compatibility for creating of table "serendipity_groupconfig" * Fix SQL compatibility for creating of table "serendipity_groupconfig"
* Added new "legal" plugin property bag attribute to indicate * Added new "legal" plugin property bag attribute to indicate


@ -4,7 +4,9 @@
include 'serendipity_config.inc.php'; include 'serendipity_config.inc.php';
$url = $serendipity['baseURL']; $url = $serendipity['baseURL'];
$trust_url = false;
$open_redir = false;
if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']) && !empty($_GET['entry_id'])) { if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']) && !empty($_GET['entry_id'])) {
@ -14,6 +16,7 @@ if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']
if (is_array($links) && isset($links['link'])) { if (is_array($links) && isset($links['link'])) {
// URL is valid. Track it. // URL is valid. Track it.
$url = str_replace('&', '&', $links['link']); $url = str_replace('&', '&', $links['link']);
$trust_url = true;
serendipity_track_url('exits', $url, $_GET['entry_id']); serendipity_track_url('exits', $url, $_GET['entry_id']);
} elseif (isset($_GET['url']) && !empty($_GET['url'])) { } elseif (isset($_GET['url']) && !empty($_GET['url'])) {
// URL is invalid. But a URL-location was sent, so we want to redirect the user kindly. // URL is invalid. But a URL-location was sent, so we want to redirect the user kindly.
@ -26,9 +29,23 @@ if (isset($_GET['url_id']) && !empty($_GET['url_id']) && isset($_GET['entry_id']
} }
if (serendipity_isResponseClean($url)) { if (serendipity_isResponseClean($url)) {
header('HTTP/1.0 301 Moved Permanently'); if (serendipity_plugin_api::exists('serendipity_event_trackexits')) {
header('Status: 301 Moved Permanently'); // Get configuration of plugin
header('Location: ' . $url); $configValues = serendipity_db_query("SELECT value FROM {$serendipity['dbPrefix']}config WHERE name LIKE 'serendipity_event_trackexits:%/commentredirection'");
if (is_array($configValues)) {
foreach($configValues AS $configValue) {
if ($configValue['value'] == 's9y') {
$open_redir = true;
}
}
}
}
if ($trust_url || $open_redir) {
header('HTTP/1.0 301 Moved Permanently');
header('Status: 301 Moved Permanently');
header('Location: ' . $url);
}
} }
exit; exit;
/* vim: set sts=4 ts=4 expandtab : */ /* vim: set sts=4 ts=4 expandtab : */
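Review bot: When neither `$trust_url` nor `$open_redir` is set, the new `if ($trust_url || $open_redir)` block sends no headers and no body and falls through to `exit`, so a visitor following a stale or tampered exit link lands on an empty 200 page; an `else` branch with `header('Location: ' . $serendipity['baseURL']);` (the value `$url` is initialised with on the first visible lines) keeps the redirect safe while still sending the user somewhere. The loose comparison `$configValue['value'] == 's9y'` should be `$configValue['value'] === 's9y'`. Note that with the trackexits plugin configured for 's9y' redirection this script still redirects to whatever the `elseif (isset($_GET['url']) ...)` branch presumably copies from `$_GET['url']`, so the open redirect is closed only conditionally; if that mode is kept, checking the untrusted URL's scheme (http/https) before emitting the Location header would narrow what it can carry. The `elseif` branch that assigns the untrusted URL continues outside the visible hunk.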


@ -219,13 +219,13 @@ switch($serendipity['GET']['adminAction']) {
$sort_import = array('perPage', 'ordermode', 'order'); $sort_import = array('perPage', 'ordermode', 'order');
foreach($filter_import AS $f_import) { foreach($filter_import AS $f_import) {
serendipity_restoreVar($serendipity['COOKIE']['entrylist_filter_' . $f_import], $serendipity['GET']['filter'][$f_import]); serendipity_restoreVar($serendipity['COOKIE']['entrylist_filter_' . $f_import], serendipity_specialchars($serendipity['GET']['filter'][$f_import]));
$data["get_filter_$f_import"] = $serendipity['GET']['filter'][$f_import]; $data["get_filter_$f_import"] = serendipity_specialchars($serendipity['GET']['filter'][$f_import]);
} }
foreach($sort_import AS $s_import) { foreach($sort_import AS $s_import) {
serendipity_restoreVar($serendipity['COOKIE']['entrylist_sort_' . $s_import], $serendipity['GET']['sort'][$s_import]); serendipity_restoreVar($serendipity['COOKIE']['entrylist_sort_' . $s_import], serendipity_specialchars($serendipity['GET']['sort'][$s_import]));
$data["get_sort_$s_import"] = $serendipity['GET']['sort'][$s_import]; $data["get_sort_$s_import"] = serendipity_specialchars($serendipity['GET']['sort'][$s_import]);
} }
$perPage = (!empty($serendipity['GET']['sort']['perPage']) ? $serendipity['GET']['sort']['perPage'] : $per_page[0]); $perPage = (!empty($serendipity['GET']['sort']['perPage']) ? $serendipity['GET']['sort']['perPage'] : $per_page[0]);
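Review bot: The escaped value is now passed to `serendipity_restoreVar` as a function-call result rather than as the variable; if that helper takes its second argument by reference (its name reads like "restore cookie into this variable"), the call no longer writes the cookie value back into `$serendipity['GET']['filter'][...]` / `['sort'][...]` and PHP emits an "only variables should be passed by reference" notice — worth confirming against its signature. More generally, encoding at input means a filter value such as `O'Reilly` or one containing `&` reaches whatever later consumes `$serendipity['GET']['filter']` (presumably the entry query) in entity-encoded form; escaping only the copy handed to the template, `$data["get_filter_$f_import"] = serendipity_specialchars(...)`, and leaving the restoreVar call as it was, addresses the XSS without altering the query input. Separately, `$perPage` on the last visible line is still taken raw from `$serendipity['GET']['sort']['perPage']`; casting it, `$perPage = (int) (...)`, keeps a numeric parameter numeric wherever it is used later. The enclosing `switch` case continues outside the hunk.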


@ -1003,6 +1003,11 @@ function serendipity_saveComment($id, $commentInfo, $type = 'NORMAL', $source =
$commentInfo['type'] = $type; $commentInfo['type'] = $type;
$commentInfo['source'] = $source; $commentInfo['source'] = $source;
// Secure email addresses, only one [first] allowed to not mail to multiple recipients
$mailparts = explode(',', $commentInfo['email']);
$commentInfo['email'] = trim($mailparts[0]);
serendipity_plugin_api::hook_event('frontend_saveComment', $ca, $commentInfo); serendipity_plugin_api::hook_event('frontend_saveComment', $ca, $commentInfo);
if (!is_array($ca) || serendipity_db_bool($ca['allow_comments'])) { if (!is_array($ca) || serendipity_db_bool($ca['allow_comments'])) {
if ($GLOBALS['tb_logging']) { if ($GLOBALS['tb_logging']) {
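Review bot: The new guard only splits on a comma, so an address containing `;`, whitespace or a CR/LF still passes through unchanged as a single "recipient", and whether that reaches more than one mailbox now depends on the mail transport rather than on this check. A positive check is tighter: `$email = trim($mailparts[0]); $commentInfo['email'] = filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : '';` rejects all of those separators at once (assuming an empty address is acceptable downstream; the start of `serendipity_saveComment` is outside the hunk, so earlier validation may already exist). The comment `// Secure email addresses, only one [first] allowed to not mail to multiple recipients` would read better as `// Keep only the first address: a comma-separated list would notify or opt in multiple recipients`.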